New Zealand Privacy Chief Backs $1 Million Fines for Breaches

New Zealand's privacy commissioner is recommending new civil penalties against companies of up to NZ$1 million (US$718,000) for a "serious" data breach to keep up with sterner penalties adopted by Australia and the European Union.

"In light of international trends and current conditions, privacy enforcement sanctions no longer appear adequate to deal with serious breaches," writes Privacy Commissioner John Edwards in a 27-page recommendation to the government. "Additional civil enforcement sanctions for serious breaches of privacy are needed."

The country's Privacy Act, which went into effect in 1993, contains possible breach-related criminal penalties of either $2,000 or $10,000. But those types of cases are intensive for the government to prosecute due to complex criminal process rules, and the fines are relatively low, Edwards writes.

New Zealand has been considering revising its Privacy Act for many years. Parliament has yet to pass legislation, but it is expected to act this year. The largest change would be a requirement that organizations report data breaches to regulators and the public (see Australia, New Zealand Still Mulling Data Breach Laws).

Edwards' review includes five other recommendations covering data portability, compliance, anonymized data, a narrowing of defenses against accusations of a breach and new rules concerning already-public data, such as electoral rolls and land registers.

The country's Law Commission published a lengthy review of the Privacy Act in 2011, but Edwards writes its suggested reforms aren't keeping pace with rapidly evolving data-driven business models.

"This new environment is revealing or confirming gaps and pressure points that add to those identified or considered in previous reviews," he writes.

Steeper Penalties

Edwards' recommendations would give his office the power to apply to the High Court for civil penalties of up to $100,000 on an individual and $1 million for a corporation for a very "serious" breach or repeated violations.

Under the draft legislation, "serious" breaches would be those that pose a risk of harm, such as loss, injury, significant humiliation or adverse effects on rights or benefits.

The proposal for larger fines reflects an expanding view worldwide that data breaches should come with more serious financial consequences, Edwards writes.

The European General Data Protection Regulation, which comes into force in May 2018, gives authorities the power to impose noncompliance penalties of 20 million Euros (US$21 million) or up to 4 percent of a company's global revenue, whichever is greater (see Mandatory Breach Notifications: Europe's Countdown Begins).

"The international context has also seen significant developments," Edwards writes. "These should now be taken into account in preparing revisions to New Zealand's privacy law."

Five years ago, Australia amended its Privacy Act to increase civil penalties. The Office of the Australian Information Commissioner can apply to the Federal Court for fines up to $1.7 million for violations.

Data Anonymization

Governments are increasingly seeking to release large data sets to the public for external analysis and transparency. But those well-intended efforts have sometimes resulted in significant privacy lapses.

The dangers of data that has been inadequately anonymized are well known. Australia ran into trouble when its Department of Health released a 30-year sampling of pharmaceutical benefits claims Australians made under Medicare, the country's public health service (see Australian Health Breach Exposes Danger of 'Anonymous' Data).

Researchers showed it was possible to decrypt codes that identified service providers. They were unsuccessful, however, in decrypting patient IDs.

As a result, last year the Australian government proposed a change to the Privacy Act that would make it an offense to de-anonymize data sets. Although well intended, it's questionable in an age of anonymous public data dumps whether such a measure would prove an effective deterrent.

Edwards proposes that New Zealand's Privacy Act should have a provision that requires entities holding personal data to take adequate steps to anonymize it before public release. Also, the public "should have a means of redress if they suffer harm as a result of being re-identified from supposedly anonymous data," he writes.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
